symfony 1.3.2 and 1.4.2

February 13, 2010
Kris Wallsmith

We have just released the latest stable versions of symfony: 1.3.2 and 1.4.2. These releases include numerous bug fixes and one security fix. The bundled version of Propel has also been updated to version 1.4.1. We recommend all 1.3.x and 1.4.x projects upgrade to these latest releases immediately.

The security fix

A cross-site scripting (XSS) vulnerability was discovered in the form framework's widget classes that render collections of radio buttons or checkboxes and their labels. This hole has been closed.

Bug fixes

We were able to address a number of bugs that have been reported in the 2+ months since 1.3.0 and 1.4.0 were first released. Some highlights from the changelog include:

fixed enabling of local csrf protection when disabled globally

fixed submission of disabled form fields by browser

fixed double escaping of partial vars

updated doctrine and propel forms to allow setting of defaults on numeric fields from within configure

fixed form filtering by 0 on a number column

fixed doctrine pager iteration

fixed sfValidatorDoctrineChoice in cloned forms

fixed empty class attributes in WDT markup

updated web debug javascript to work when the dom includes an svg element

fixed sfDomCssSelector requiring quotes around attribute values in selectors, which should be optional

The XSS fix is problematic if you want your labels to contain HTML code (links for example). It seems that there is no possibility to switch off escaping in special cases when you are sure that the labels are static and not set from user input.

The only solution is to use a custom formatter that subsequently removes the escaping.
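The following is an added illustration, not code from symfony or from the commenter above, of the defensive pattern behind both the security fix and the trade-off raised in the comment: a choice-list renderer that HTML-escapes every label by default, with an explicit opt-in (a hypothetical `TrustedHtml` wrapper) for markup the developer has written literally in code, such as a link in a consent label. The function and class names (`renderRadioList`, `escapeHtml`, `TrustedHtml`) are assumptions for this example and do not correspond to symfony's widget or formatter API.

```php
<?php
// Added illustration (not symfony's own code): render a group of radio
// buttons whose labels are HTML-escaped, the class of bug this release fixes.
// Plain-string labels are always escaped. A label may be marked as trusted
// HTML by wrapping it in TrustedHtml; that is meant only for literal markup
// written by the developer, never for values that came from a request,
// the database, or any other untrusted source.

final class TrustedHtml
{
    private string $html;

    public function __construct(string $html)
    {
        $this->html = $html;
    }

    public function getHtml(): string
    {
        return $this->html;
    }
}

// Escape for an HTML text or attribute context (quotes included).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render choices as radio inputs with labels.
 *
 * @param string              $name    form field name
 * @param array<string,mixed> $choices value => label (string or TrustedHtml)
 * @param string|null         $checked currently selected value, if any
 */
function renderRadioList(string $name, array $choices, ?string $checked = null): string
{
    $out = '';
    foreach ($choices as $value => $label) {
        $value = (string) $value;
        $id = escapeHtml($name . '_' . $value);
        // Escape unless the developer explicitly opted in to trusted markup.
        $labelHtml = $label instanceof TrustedHtml
            ? $label->getHtml()
            : escapeHtml((string) $label);
        $out .= sprintf(
            '<li><input type="radio" name="%s" id="%s" value="%s"%s /> <label for="%s">%s</label></li>' . "\n",
            escapeHtml($name),
            $id,
            escapeHtml($value),
            $value === $checked ? ' checked="checked"' : '',
            $id,
            $labelHtml
        );
    }

    return "<ul>\n" . $out . "</ul>\n";
}

// Constructed sample input: the second label stands in for a label that
// originated from stored data, so it must be escaped; the third is literal
// markup written here in code, so it is explicitly marked as trusted.
$choices = [
    'yes'   => 'Yes',
    'other' => 'Other <b>bold</b> & "quoted"',
    'terms' => new TrustedHtml('I accept the <a href="/terms">terms</a>'),
];

echo renderRadioList('consent', $choices, 'yes');
```

Run with `php example.php`: the `other` label comes out as `Other &lt;b&gt;bold&lt;/b&gt; &amp; &quot;quoted&quot;`, while the `terms` label keeps its link. Keeping the opt-in as a distinct type, rather than a boolean flag on the whole widget, means a reviewer can grep for every `new TrustedHtml(` and confirm each argument is a literal string rather than data flowing in from a request or a database row.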

Thank you so much for turning off xdebug_logging by default! Pages in my dev env are now typically processing in 150ms compared to 500ms (1.4.1)! So it's now 70% faster, which means I get things done 70% quicker - great job!